I could use some assistance. I am setting up a Synology NAS as the VPN server.
I stored the cert with the thumbprint under Computer Account > Personal > Certificates.
I am following user pwatk's directions for the setup: https://forum.synology.com/enu/viewtopic.php?t=100066
The server log says:
Fri Dec 29 10:40:45 2017 Warning: cryptapicert used, setting maximum TLS version to 1.1.
Fri Dec 29 10:40:45 2017 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Fri Dec 29 10:40:45 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Dec 29 10:40:45 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Fri Dec 29 10:40:50 2017 OpenSSL: error:C5065064:microsoft cryptoapi:CertFindCertificateInStore:Cannot find object or property.
Fri Dec 29 10:40:50 2017 Cannot load certificate "THUMB:MY THUMB PRINT" from Microsoft Certificate Store
Fri Dec 29 10:40:50 2017 Exiting due to fatal error
client
dev tun
proto udp
remote $MyPublicIP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
#ns-cert-type is DEPRECATED
#ns-cert-type server
remote-cert-tls server
comp-lzo
cipher AES-128-CBC
auth SHA256
auth-user-pass
key-direction 1
cryptoapicert "THUMB:MY THUMB"
<ca>
-----BEGIN CERTIFICATE-----
$LONG CERT
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
$LONG KEY
-----END OpenVPN Static key V1-----
</tls-auth>
Cannot load certificate THUMB from Microsoft Certificate Store
Re: First time OpenVPN setup Cannot load certificate THUMB from Microsoft Certificate Store
My thumb is correct, just wasn't sure if it was safe to post.
Re: First time OpenVPN setup Cannot load certificate THUMB from Microsoft Certificate Store
I've had this problem when trying to copy thumbprint information to configure SSL on SQL clusters. It turns out that if you use the mmc snapin to obtain the thumbprint it inserts a hidden character.
https://support.microsoft.com/en-us/hel ... -has-extra
Re: First time OpenVPN setup Cannot load certificate THUMB from Microsoft Certificate Store
@jasong .. Good find !
@Tripline .. Does this help you ?
And just because I don't like Microsoft here it is in full:
Microsoft wrote:
Certificate thumbprint displayed in MMC certificate snap-in has extra invisible unicode character
Symptoms
If you try and copy and paste thumbprint from this snap-in, an extra (invisible) unicode character is being copied also. This can lead to problems that are non-obvious. For example, copy and paste thumbprint into notepad. It appears that thumbprint is copied correctly, but if you try to save document, it reports that the document contains unicode characters.
If you try to copy paste this thumbprint into an application that asks for a certificate thumbprint, this can lead to errors where the invisible unicode character is unknowingly included. For example, there is a scenario in virtual machine manager that asks for a certificate thumbprint. Copy/pasting from this snap-in will lead to a non-obvious failure due to included unicode character.
One of the applications affected with this case is SQL Server when the certificate is needed for SSL Encryption of SSL connections. If simply copying the thumbprint from the certificate GUI and pasting it in with the invisible character, SQL Server fails to start.
Cause
This is caused by an issue in Richedit control which is used for the Certificate UI.
Resolution
The following workarounds can be used:
1. Instead of using certificates snap-in and certificate GUI, use certutil command line tool:
- "certutil -store -user my" for the user certificates or,
- "certutil -store my" for the machine certificates.
The thumbprint can be located in the line that starts with "Cert Hash(sha1)"
Cert Hash(sha1): e8 12 4b 42 c4 04 fd ca 8c ec 21 f1 91 76 5c b7 c3 ad 1d 55
2. When using certificates snap-in and certificate GUI, do NOT copy "extra space" that appears before the certificate thumbprint from the Richedit control.
Last Updated: Jan 8, 2017
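A check for the hidden-character problem described in the last two posts, as an added example that is not part of the original thread: it inspects every `cryptoapicert "THUMB:..."` line in an OpenVPN config for characters that are neither hex digits nor spaces, and extracts clean thumbprints from `certutil -store my` output. The function names are hypothetical, the config sample is constructed, and U+200E is an assumed stand-in for the invisible character, which the thread does not name.

```python
import re
import unicodedata

# Constructed sample: a config whose thumbprint was pasted from the MMC dialog.
# The leading U+200E is an assumed example of the invisible character.
SAMPLE_CONFIG = (
    'remote-cert-tls server\n'
    'cryptoapicert "THUMB:\u200ee8 12 4b 42 c4 04 fd ca 8c ec 21 f1 91 76 5c b7 c3 ad 1d 55"\n'
)
# The "Cert Hash(sha1)" line quoted in the Microsoft article above.
SAMPLE_CERTUTIL = "Cert Hash(sha1): e8 12 4b 42 c4 04 fd ca 8c ec 21 f1 91 76 5c b7 c3 ad 1d 55\n"

THUMB_RE = re.compile(r'^\s*cryptoapicert\s+"THUMB:([^"]*)"', re.MULTILINE)
HASH_RE = re.compile(r'^\s*Cert Hash\(sha1\):\s*(.+)$', re.MULTILINE)


def check_thumbprint(raw):
    """Return (normalized_hex, problems) for one thumbprint string."""
    problems = []
    kept = []
    for pos, ch in enumerate(raw):
        if ch in "0123456789abcdefABCDEF":
            kept.append(ch.lower())
        elif ch != " ":  # spaces between bytes are ignored, anything else is reported
            name = unicodedata.name(ch, "unnamed")
            problems.append(f"offset {pos}: U+{ord(ch):04X} {name}")
    hexval = "".join(kept)
    if len(hexval) != 40:  # a SHA-1 thumbprint is 20 bytes
        problems.append(f"expected 40 hex digits (SHA-1), found {len(hexval)}")
    return hexval, problems


def lint_config(config_text):
    """Check every cryptoapicert THUMB: selector in an OpenVPN config."""
    return [check_thumbprint(m.group(1)) for m in THUMB_RE.finditer(config_text)]


def thumbprints_from_certutil(output):
    """Extract normalized thumbprints from 'certutil -store my' output."""
    return [check_thumbprint(m.group(1))[0] for m in HASH_RE.finditer(output)]


if __name__ == "__main__":
    for hexval, problems in lint_config(SAMPLE_CONFIG):
        print(hexval, problems or "clean")
```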